An online service can perform various levels of authentication of an electronic communication or of a user prior to allowing the user to access data from an internal system of the online service. The various levels of authentication can be selected based on the risk of the user or the sensitivity of information that can be accessed by the user being successfully authenticated. One level may involve requiring a correct username and password to be received electronically from the user. Another level may be to require receiving a code transmitted in an out-of-band channel to the user according to stored contact information for the user. A further level may involve asking the user for answers to questions developed based on third-party sources, such as government or private databases listing prior addresses associated with an identity of the user.
But the risk of fraud still exists as personal data usable to overcome these authentication levels may be accessible to unscrupulous individuals. Furthermore, cyber-attacks from foreign-based individuals are a problem. These individuals may use proxy servers to appear as if electronic communications from user devices are originating from the proxy servers, rather than the user devices. In combination with that and personal data about the user that may be known, these unscrupulous individuals may be able to overcome authentication levels and fraudulently access data. Moreover, determining a proper level of authentication can be challenging. Authentication processes that are too involved may deter legitimate users from benefiting from accessing a system, while processes that are too limited may increase risk of fraudulent activity.